oupala
I agree that I don't think we can avoid loading external images. But why does the annotation system need inline JS and CSS?
So if you're clear about CSP (and you're in the top-3 committers of wallabag), I think that wallabag should either: - manage the CSP itself (to use the best CSP...
@j0k3r I agree with you, the best solution is that Wallabag declares its own CSP. This is the best solution as the CSP could be different depending on the page....
Here is my Content Security Policy: > Content-Security-Policy "upgrade-insecure-requests; default-src 'self' 'unsafe-inline'; img-src 'self' https:; frame-ancestors 'none' If @j0k3r, @tcitworld or @Crocmagnon (or anyone else) want to discuss this topic,...
My last comment was not good: it is not a good practice to allow "unsafe-inline" as a default src. And Wallabag seems to work very well without this *unsafe* directive....
Here is my current CSP rule: > Content-Security-Policy "upgrade-insecure-requests; base-uri 'self'; default-src 'self'; script-src 'self' 'unsafe-inline'; img-src 'self' https:; frame-ancestors 'none' Images are only authorized if they come from...
Allowing `'unsafe-inline'` is indeed a bad option from a security point of view. However, not allowing `'unsafe-inline'` prevents the browser from executing some required JavaScript code, which breaks the...
@hydrargyrum As your CSP rule is the same as mine, I would answer that *yes*, this is sufficient. Were you expecting another answer?
In the issue, I was asking if node images were affected by the certificate expiration. My experience is that "yes", node images are affected by this problem.
@mattjhammond Next time, please open a new issue as your issue is not the same as the one in the title. One thread = one subject => clean language.